
Protecting Your Personal Data

Each of us knows to closely guard our Social Security numbers, credit card accounts, fingerprints, phone numbers, health records and other personal information. 

But within government agencies — which aggregate vast troves of our personally identifiable information (PII) — the management of our private data can be confused, outmoded and insecure, making it tough for agencies to comply with security mandates and exposing each of us to financial and other calamities.

Not comforting, is it?

During Wednesday’s online training titled “PII Is Everywhere: 3 Ways to Protect the Data,” GovLoop heard from Nicole Willis, Chief Technology Officer in the HHS Office of the Inspector General, and Bill Tolson, Vice President of Global Compliance and eDiscovery with Archive360. Both speakers gave an overview of three areas — information management, culture and automation — that are most critical to securing our private details.

The overriding takeaway? Everyone is responsible for safeguarding PII.

Management

For Willis, information management is critical to understanding the data life cycle, and that means it’s critical to ensuring the safety of agency information. “We’re doing more transactions across more different devices,” she said, and so a big challenge is “the sheer amount of access to data that so many people have.”

Putting data in the cloud, for all its benefits, creates unique challenges, she added. “You really have to know what your data is, how it’s being used, and as you’re moving it to cloud environments, you need a strong framework” to guide the complexity of managing and using information.

Tolson said that in the past, many organizations split data management duties between data teams and other departments and employees. But by pulling back and creating an overarching data governance strategy, agencies can actively manage and understand the PII they hold, he said. 

And one thing to consider is whether an agency holds too much PII and for too long. Tolson said that’s where “data minimization” — in other words, how much information does an agency really need to keep? — becomes important, as does data consolidation. And he also urged agencies to think about “application retirement,” or what happens to the information that an application holds when you stop using it.

Culture

“Everyone plays a role in data management … and having people understand the conscious and strategic use of information” is vital to creating a successful data culture, Willis said. It’s important to proactively communicate to agency staff why they must manage data like the informative and personal asset it is.

Tolson said that creating an environment in which agency employees avoid phishing emails, for example, isn’t enough. The problem is that “Employees and end users may not recognize PII data and understand that it’s protected [by laws and regulations],” he noted.

And what about those mandates and the millions of data points that agencies control?

Tolson said that “if the data on my laptop needs to be centrally managed, in various industries that may be a cultural issue because we’ve been allowed to think ‘It’s my data because it’s on my laptop.’ But now the agency needs to say, ‘No, that’s the agency’s.’”

Automation

Tolson believes that agencies need “AI and machine learning that deals with data behind the scenes” to help avoid employees’ inadvertent release of PII. He said “highly accurate AI will be a huge time saver,” and he encouraged using the cloud.

“But the processes that are created and the programs that are installed need to have a much better ease of use,” he said. Yes, agencies should train their employees, but making programs easier to use goes beyond that.

Willis echoed the call for automation. She said agencies should “look at ways to automate the monitoring and visibility of data and watch how data is traveling across applications and environments.” Over the next two years, she said, automation tools will become increasingly critical to protecting PII.

As for advice to agencies and employees contemplating data mandates and other challenges, Tolson was straightforward: “Embrace the change — because it’s going to happen anyway.”
